General Services Administration: Many Building Security Upgrades Made But
Problems Have Hindered Program Implementation (Testimony, 06/04/98,
GAO/T-GGD-98-141)

APPENDIX
II

INFORMATION
ON DOJ REPORT-RECOMMENDED CRITERIA FOR

FEDERAL
BUILDING SECURITY

GSA
USED CRITERIA IN DOJ REPORT FOR

ITS
BUILDING SECURITY UPGRADE PROGRAM

In
July 1995, the Federal Protective Service (FPS) began its process
for identifying and prioritizing building security upgrade needs
and cost estimates using the criteria, guidance, and timetable
recommended by the DOJ report, which was issued on June 28, 1995.
The DOJ report established 52 minimum security standards in 4
separate categories, which were to be considered for buildings
under GSA's operation based on their assessed risk level. GSA
assigned initial risk level designations to its buildings based
on information it had on file. Building security committee (BSC)
and FPS staff were to subsequently assign the buildings a risk
level, using the DOJ report's more definitive criteria, and
evaluate them to determine needed security upgrades and the
estimated costs for the upgrades.

Building
Risk Levels

Using
DOJ report criteria, BSC and FPS staff were to place buildings
under GSA's operation into risk levels. The DOJ criteria included
tenant population, volume of public contact, size, and agency
sensitivity, with level V the highest risk level and level I the
lowest, as follows:

Level
V: A building that contains mission functions critical to
national security, such as the Pentagon or CIA Headquarters. A
Level-V building should be similar to a Level-IV building in
terms of number of employees and square footage. It should have
at least the security features of a Level-IV building. The
missions of Level-V buildings require that tenant agencies secure
the site according to their own requirements.

Level
IV: A building that has 451 or more federal employees; high
volume of public contact; more than 150,000 square feet of space;
and tenant agencies that may include high-risk law enforcement
and intelligence agencies, courts, and judicial offices, and
highly sensitive government records.

Level
III: A building with 151 to 450 federal employees;
moderate/high volume of public contact; 80,000 to 150,000 square
feet of space; and tenant agencies that may include law
enforcement agencies, court/related agencies and functions, and
government records and archives. (According to GSA, at the
request of the Judiciary, GSA changed the designation of a number
of buildings housing agencies with court and court-related
functions from Level III to Level IV.)

Level
II: A building that has 11 to 150 federal employees; moderate
volume of public contact; 2,500 to 80,000 square feet of space;
and federal activities that are routine in nature, similar to
commercial activities.

Level
I: A building that has 10 or fewer federal employees; low
volume of public contact or contact with only a small segment of
the population; and 2,500 or less square feet of space, such as a
small "store front" type of operation.

Facility
Evaluations

BSCs
were also to prepare facility evaluations based on the DOJ
minimum standards. The facility evaluations, containing requested
security upgrades, justifications, and estimated costs for each
upgrade were to be submitted to the applicable FPS regional
offices for review and approval. Security upgrades costing more
than $100,000 to acquire or having an annual operating cost
greater than $150,000 required final approval at FPS
headquarters.

FPS
regional staff focused their evaluation efforts on level-IV
buildings first, followed by levels III through I, consistent
with the timetable recommended by the DOJ report and endorsed by
the President. Funding of upgrades generally followed this same
progression, with FPS focusing first on level-IV buildings and
then levels III through I. Each FPS region established its own
building security upgrade implementation schedule based on
coordination with other involved PBS components and the
individual requirements of the various types of security
upgrades. For example, some upgrades required design and
engineering work before actual installation could proceed, and
some required coordination and approvals from local governments
and historical building societies before work could proceed.

In
early 1996, FPS completed a computerized database system to
track, by regional office and by building, all BSC-requested
security upgrades. This tracking system was to include the date
each upgrade was approved or disapproved; the estimated cost of
acquiring, installing, and operating the upgrade; and its
scheduled and actual completion status. Each FPS region was to
have a database of its buildings and was responsible for
maintaining its database. FPS headquarters staff periodically
uploaded and entered data into each region's database to show
headquarters' approval actions on requested upgrades, where
required. FPS headquarters staff also consolidated the regional
databases for its own use in tracking the nationwide security
upgrade program.

Application
of DOJ Standards to Security Risk Levels

The
DOJ report established 52 minimum security standards in the
categories of perimeter security, entry security, interior
security, and security planning to be considered for a building
based on its assessed risk level. Tables II.1 through II.4 show
how the DOJ report's minimum security standards are to be applied
to each building on the basis of its assessed risk level. For
example, control of facility parking is recommended as a minimum
standard for buildings in security level III through V and
recommended as desirable for buildings in security levels I and
II.